Data protection statement
This data protection statement informs you about the type, scope and purpose of processing personal data (hereinafter abbreviated to “data”) within our online content and the associated websites, functions, content and online presences, e.g., our social-media profile (hereinafter referred to jointly as “online content”). With regard to the terms used, such as “processing” or “controller”, we refer to the definitions laid down in Article 4 of the EU’s General Data Protection Regulation (GDPR).
PKF WMS GmbH & Co. KG Wirtschaftsprüfungsgesellschaft Steuerberater Rechtsanwälte
Phone: +49 541 94422-0
Fax: +49 541 94422-44
Data protection agent
microPLAN IT-Systemhaus GmbH
Phone: +49 2572 936577
Type of processed data:
- Personal data (e.g., names, addresses).
- Contact details (e.g., e-mail, phone numbers).
- Content data (e.g., text input, photos, videos).
- Usage data (e.g., web pages visited, interest in content, access times).
- Meta/communications data (e.g., device information, IP addresses).
Data subject categories
Visitors to and users of online content (hereinafter we shall refer to the data subjects as “users”).
Purpose of processing
- Provision of online content, its function and content.
- Responding to contact queries and communication with users.
- Security precautions.
- Reach measurement / marketing
“Personal data” means any information relating to an identified or identifiable natural person (hereinafter referred to as “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier (e.g. cookie) or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
“Processing” means any operation or set of operations which is performed on personal data, whether or not by automated means. The term is far-reaching and covers virtually any handling of data.
“Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.
“Profiling” means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyze or predict aspects concerning that natural person's performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location or movements.
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
“Processor” means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.
Relevant legal basis
Pursuant to Art. 13 GDPR we notify you of the legal basis for our data processing. If the legal basis is not cited in the data protection statement, the following applies: The legal basis for obtaining consent is Art. 6 Para. 1 (a) and Art. 7 GDPR, the legal basis for processing to render our services and implement contractual measures as well as to answer queries is Art. 6 Para. 1 (b) GDPR, the legal basis for processing necessary to perform our contracts is Art. 6 Para. 1 (c) GDPR, and the legal basis for processing to pursue our legitimate interests is Art. 6 Para. 1 (f) GDPR.
Pursuant to Art. 32 GDPR, and taking account of the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
These measures specifically include ensuring the confidentiality, integrity and availability of data through control of physical access to the data, as well as ensuring the respective input, transmission, availability and separation. Furthermore, we have set up processes that ensure an awareness of data subjects’ rights, deletion of data and a response to data threats. Moreover, we take account of the protection of personal data even at the development stage and/or in the selection of hardware, software and processes in accordance with the principle of data protection through technical design and through privacy-friendly default settings (Art. 25 GDPR).
Co-operation with processors and third parties
Should we, as part of our processing, disclose data to other persons and companies (processors or third parties), transmit this data to them or otherwise give them access to the data, this shall only take place on the basis of a legal authorization (e.g. if a transmission of data to third parties, such as a payment services provider, is necessary for the performance of a contract in accordance with Art. 6 Para. 1 (b) GDPR), you have given consent, a legal obligation stipulates this or on the basis of our legitimate interests (e.g. for the use of agents, web hosters, etc.).
Should we engage third parties for the processing of data on the basis of a so-called “processor contract”, this shall take place on the basis of Art. 28 GDPR.
Transfers of data to third countries
Should we process data in a third country (i.e. outside the European Union (EU) or the European Economic Area (EEA)), or should this occur within the remit of using third-party services, or should we disclose/transfer data to third parties, this shall only take place to meet our (pre-)contractual obligations, on the basis of your consent, on the basis of a legal obligation or on the basis of our legitimate interests. Conditional upon legal or contractual authorizations, we only process data in a third country or allow its transfer there subject to the special conditions laid down in Art. 44 et seq. GDPR.
Rights of the data subjects
You have the right to demand confirmation as to whether or not data concerning you are being processed, and, where that is the case, access to this data and further information as laid down in Art. 15 GDPR.
In accordance with Art. 16 GDPR, you have the right to demand the completion of incomplete data concerning you, or the rectification of inaccurate data concerning you.
Pursuant to Art. 17 GDPR, you have the right to demand that relevant data is erased, or alternatively pursuant to Art. 18 GDPR you can demand that a restriction is placed on the processing of the data.
Pursuant to Art. 19 GDPR, you have the right to demand information about the recipients from the controller for which the controller has issued a communication regarding an erasure, rectification or restriction on the processing of your personal data.
Pursuant to Art. 20 GDPR, you have the right to demand that you receive the data concerning you that you have provided to us, and to demand its transmission to other controllers.
Furthermore, you have the right to lodge complaints with a regulatory authority.
Right to withdraw consent
You have the right to withdraw consents at any time with future effect in accordance with Art. 7 Para. 3 GDPR. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Please send your withdrawal of consent to: email@example.com
Right to object
Pursuant to Art. 21 GDPR, you can object to the future processing of data concerning you at any time. Objections can be specifically lodged against the processing for direct marketing purposes. Please send your objection to: firstname.lastname@example.org
Cookies and right to object for direct marketing
The term “cookies” refers to small files that are stored on users’ computers. Various information can be saved within these cookies. A cookie primarily serves to save information about users (or the devices on which the cookie is stored) during or even after their visits to a website. The terms “temporary cookies”, “session cookies” or “transient cookies” refer to cookies that are deleted after users leave a website and close the browser. Such a cookie can, for instance, save a log-in status or the contents of a shopping cart in an online shop. Cookies that remain saved even after the browser is closed are described as “permanent” or “persistent”. For example, the log-in status can be saved if users visit the site over several days. Likewise, such a cookie can save the interests of the users, which can be used for reach measurement or marketing purposes. “Third-party cookies” are cookies that are offered by providers that differ from the controller that runs the website (otherwise they are the controller’s cookies and are described as “first-party cookies”).
We can employ temporary and permanent cookies and explain this in our data protection statement.
If users do not want cookies to be saved on their computer, they are asked to deactivate the corresponding option in the system settings of their browser. Saved cookies can be deleted in the system settings of the browser. The elimination of cookies can impair the functionality of this website.
Erasure of data
Pursuant to Art. 17 and 18 GDPR the data we process is erased or its processing is restricted. Unless expressly stated in this data protection statement, the data saved with us shall be erased as soon as it is no longer required for its purpose and the erasure is not prohibited by any statutory record-keeping obligations. If this data cannot be erased because it is necessary for other and legally permissible purposes, its processing shall be restricted. This means that the data shall be blocked and not processed for other purposes. For instance, this applies to data that has to be stored for reasons of commercial or tax law.
In accordance with statutory requirements in Germany, the period of data storage is specifically 10 years in accordance with Sections 147 Para. 1 of the German Fiscal Code (AO), 257 Para. 1 No. 1 and 4, Para. 4 of the German Commercial Code (HGB) (books, recordings, management reports, accounting records, trading books, documents relevant to taxation, etc.) and 6 years in accordance with Section 257 Para. 1 No. 2 and 3, Para. 4 of the German Commercial Code (HGB) (business letters).
In addition, we process
- Contractual data (e.g. subject matter of the contract, term, customer category).
- Payment details (e.g. bank details, payment history)
of our clients, stakeholders and business partners in order to perform contractual services and customer care, marketing, advertising and market research.
We process the data of our contractual partners and stakeholders as well as other clients, customers or contractual partners (uniformly hereinafter referred to as “contractual partners”) in accordance with Art. 6 Para. 1 (b) GDPR in order to perform our contractual or pre-contractual services for you. The hereby processed data, its type, its scope, including the purpose and the need for its processing is determined by the underlying contractual relationship.
The processed data includes the master data of our contractual partners (e.g. names and addresses), contact details (e.g. e-mail addresses and phone numbers) and contractual data (e.g. services used, contractual content, contractual communications, names of contact persons) and payment details (e.g. bank details, payment history).
In principle, we do not process special categories of personal data unless these are components of commissioned or contractual processing.
We process data that is necessary to justify and provide contractual services and point out the necessity of its input if this is not evident to contractual partners. Disclosure to external persons only takes place if this is necessary within the framework of a contract. When processing data passed to us within the framework of a contract, we act in accordance with the instructions from the client as well as the statutory requirements.
When our online services are used we can store the IP addresses and the time of the respective user activity. This storage takes place to safeguard our legitimate interests and the interests of users, i.e., to provide protection against abuse and other unauthorized usage. This information is generally not passed to third parties unless it is necessary to pursue our entitlements in accordance with Art. 6 Para. 1 (f) GDPR or there is a legal obligation to do so in accordance with Art. 6 Para. 1 (c) GDPR.
Data shall be erased if its storage is no longer necessary to fulfill contractual or legal duties of care and/or to deal with any warranty and similar obligations, whereby the necessity of the data storage shall be verified every three years; otherwise the statutory data storage obligations apply.
Administration, financial accounting, office organization, contact management
We process data in the course of administrative tasks and the organization of our business, financial accounting and compliance with legal obligations, such as archiving. We hereby process the same data that we process in the course of performing our contractual services. The statutory basis for this processing is Art. 6 Para. 1 (c) GDPR and Art. 6 Para. 1 (f) GDPR. This processing pertains to clients, stakeholders and website visitors. The purpose and our interest in this processing is administration, financial accounting, office organization, archiving of data, i.e., tasks that serve the maintenance of our business activities, the undertaking of our responsibilities and the performance of our services. The erasure of data with respect to contractual services and contractual communications corresponds to the details cited for these processing activities.
We hereby disclose or transfer information to the tax authorities, advisors (e.g. tax advisors or auditors) as well as other fee-collecting agencies and payment services providers.
Based on our commercial interests, we also store information about providers of goods and services, event organizers and other business partners, e.g. for the purposes of contacting them at a later date. We generally store this mostly company-related data permanently.
Data protection information in job application procedures
Applicants can send us their job applications via e-mail. However, please note hereby that e-mail messages are generally not encrypted and applicants are responsible for the encryption themselves. We can therefore not assume any responsibility for the application’s transmission route between the sender and its receipt on our server. We therefore tend to recommend that applicants send their applications by post.
We only process applicant data for the purpose of and within the framework of the application procedure in compliance with the statutory requirements. The processing of applicant data is used as a basis for hiring decisions in accordance with Section 26 of Germany’s Federal Data Protection Act (BDSG) and Art. 6 Para. 1 (f) GDPR provided the data processing is necessary for us, for example within the scope of legal proceedings.
The application procedure presupposes that the applicant has sent us the applicant data. We receive the necessary applicant data via e-mail. The data otherwise arises from the job descriptions and generally includes personal details, postal and contact addresses, and documentation relating to the application, such as the letter of application, the curriculum vitae and the references. Besides this, applicants can provide us with additional information voluntarily.
Should special categories of personal data as laid down in Art. 9 Para. 1 GDPR be provided voluntarily as part of the application procedure, they shall also be processed in accordance with Art. 9 Para. 2 (b) GDPR (e.g. health data, such as severe disability status, or ethnic background). Should special categories of personal data as laid down in Art. 9 Para. 1 GDPR be requested for applicants as part of the application procedure, they shall also be processed in accordance with Art. 9 Para. 2 (a) GDPR (e.g. health data, if this is required to carry out the job).
In the event of a successful application, the information provided by applicants can continue to be processed by us for employment-related purposes. Otherwise, if the application for a job offer is not successful, applicants’ data shall be erased. Applicants’ data shall also be erased if an application is withdrawn, which applicants are entitled to do at any time.
Conditional upon a justified revocation by the applicant, the erasure takes place after a period of six months so that we can answer any questions about the application afterwards and fulfill our obligations arising from Germany’s General Equal Treatment Act (Allgemeinen Gleichbehandlungsgesetz). Invoices pertaining to the reimbursement of any travel expenses are archived corresponding to the tax law requirements.
Initiation of contact
When initiating contact with us (e.g. using a contact form, e-mail, telephone, or via social media), the users’ information is handled to process the contact query and its administration in accordance with Art. 6 Para. 1 (b) GDPR. The user data can be stored in a customer relationship management system ("CRM system") or similar query organization.
We delete the queries provided these are no longer required. We verify the necessity every three months. Furthermore, the statutory archiving obligations apply.
Hosting and e-mail distribution
The hosting services we use serve to provide the following services: Infrastructure and platform services, computing capacity, storage space and database services, e-mail distribution, security services and technical maintenance services that we use in order to run this online content.
We and/or our hosting provider hereby process personal data, contact details, content data, contractual data, usage data, meta and communications data of clients, stakeholders and visitors to this online content based on our legitimate interests in an efficient and secure provision of this online content in accordance with Art. 6 Para. 1 (f) GDPR in conjunction with Art. 28 GDPR (conclusion of a processor contract).
Collection of access data and log files
We and/or our hosting provider collect data based on our legitimate interests as laid down in Art. 6 Para. 1 (f) GDPR about every access transaction on the server on which this service is running (so-called server log files). The access data includes the name of the web page accessed, the file, the date and time of access, the volume of data transmitted, a report of successful access, the browser type (incl. version), the operating system of the user, the referrer URL (the web page visited previously), the IP address and the requesting provider.
For security reasons (e.g. to investigate cases of abuse or fraud), log-file information is stored for a maximum of 7 days and then erased. Data whose continued storage is required for evidence purposes is excepted from erasure until the respective incident has been clarified in full.
Google will use this information on our behalf to measure how users utilize our online content in order to compile reports about the activities within our web content and perform further services for us that are associated with the use of this web content and Internet usage. At the same time, pseudonym user profiles can be created for users from the processed data.
We only use Google Analytics with active IP anonymization. This means that Google abbreviates user IP addresses within member states of the European Union or in other states party to the European Economic Area agreement. The full IP address is transferred to a Google server in Ireland and abbreviated there only in exceptional cases.
The IP address communicated by the user’s browser is not collated with other Google data. Users can stop the cookies from being saved by using a corresponding setting in their browser software. In addition, users can also prevent the collection of the data generated by the cookie and transferal of the data relating to their usage of the online content to Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=de.
Further information about the use of data by Google, settings and opt-out options can be found in Google’s data protection statement (https://policies.google.com/technologies/ads) as well as in the settings for the personalization of adverts by Google (https://adssettings.google.com/authenticated).
Users’ personal data is erased or anonymized after 14 months.
Online presences in social media
We maintain online presences within social networks and platforms in order to communicate with clients, stakeholders and users who are active in these domains and to inform them about our services.
Please note that data pertaining to users outside the European Union can be processed. This can give rise to risks for users because, for instance, it could be more difficult for such users to exercise their rights.
Furthermore, the user data is generally only used for market research and advertising purposes. For instance, the usage patterns and resulting interests of the user can be used to create usage profiles. Usage profiles can in turn be used to activate adverts, both within the platform and outside it, that presumably correspond to the interests of the user. To this end, cookies are generally saved on the user’s computers that store the usage patterns and interests of the user. Furthermore, the usage profiles can also save data irrespective of the device utilized by the user (especially if the user is a member of the respective platforms and is logged into them).
The processing of personal data is undertaken on the basis of our legitimate interest in effective transfer of information to users and communication with users in accordance with Art. 6 Para. 1 (f) GDPR. If users are asked by the respective providers for consent to data processing (i.e. granting their consent by ticking a check box or clicking on a confirmation button for instance), the legal basis for the processing is Art. 6 Para. 1 (a), Art. 7 GDPR.
For a detailed illustration of the respective processing procedures and opt-outs, we refer to the following linked content from the providers themselves.
In the event of information queries and enforcement of user rights, too, we point out that this can be done most effectively with the providers. Only the providers have respective access to the user data and can take corresponding action directly and provide information. Should you, however, require assistance, please feel free to contact us.
- Facebook (Facebook Ireland Ltd., 4 Grand Canal Square, Grand Canal Harbour, Dublin 2, Ireland) - Data protection statement: www.facebook.com/about/privacy/, Opt-out: www.facebook.com/settings and www.youronlinechoices.com,
- Google/ YouTube (Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland) – Data protection statement: policies.google.com/privacy, Opt-out: adssettings.google.com/authenticated,
- LinkedIn (LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland) - Data protection statement: www.linkedin.com/legal/privacy-policy, Opt-out: www.linkedin.com/psettings/guest-controls/retargeting-opt-out,
- Xing (XING AG, Dammtorstraße 29-32, 20354 Hamburg, Germany) - Data protection statement/ Opt-out: https://privacy.xing.com/de/datenschutzerklaerung.
Integration of third-party services and content
Based on our legitimate interests (i.e. interest in the analysis, optimization and commercial operation of our online content as laid down in Art. 6 Para. 1 (f) GDPR), we use content or service offerings from third-party providers within our online content in order to integrate their content and services, such as videos or fonts (hereinafter uniformly described as “content”).
This always presupposes that the third-party providers of this content are aware of the user IP addresses because they cannot send the content to the users’ browser without the IP addresses. The IP address is therefore necessary for the presentation of this content. We endeavor only to use such content for which the respective providers merely use IP addresses for the delivery of content. Third-party providers can furthermore use so-called pixel tags (invisible graphics, also referred to as “web beacons”) for statistical or marketing purposes. “Pixel tags” can be used to evaluate information about the pages of this website (e.g. visitor traffic). The pseudonym information can furthermore be stored in cookies on users’ devices and (among other things) can contain technical information about the browser and operating system, linking websites, visit duration as well as other information about the use of our online content. It can also be linked with such information from other sources.
We integrate videos from the “YouTube” platform from the provider Google Ireland Ltd., Gordon House, Barrow Street, Dublin 4, Ireland. Data protection statement: www.google.com/policies/privacy/, Opt-out: https://adssettings.google.com/authenticated.